
Recommended way to redirect HTTP requests to HTTPS

I have some doubts about how to redirect all my http pages to https.

I've seen that some people say to do a rewrite like in this reply:

And Apache says to do it this way:

Can anyone explain to me what the recommended way to make this change is?

The only secure way to redirect http to https is to use HSTS (Header Strict-Transport-Security) with the preload option.

The apache redirect is insecure because an attacker can intercept it and rewrite it. Unfortunately, for older browsers and browsers that didn't preload HSTS, it's your only option:

<VirtualHost *:80>
      ServerName www.example.com
      Redirect "/" "https://www.example.com/"
</VirtualHost>

Apache redirect

In the https response:

<VirtualHost *:443>
      # Use HTTP Strict Transport Security to force client to use secure connections only
      # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
      Header always set Strict-Transport-Security "max-age=31536000"

      # Further Configuration goes here
      [...]
</VirtualHost>

HSTS

Or, using .htaccess:

# Enable mod_rewrite for this directory (required before any RewriteRule in .htaccess)
RewriteEngine On
# Redirect if http
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# set header if https
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

The Strict-Transport-Security header (HSTS) has 2 effects:

  • For the visitor, it tells the browser to only use https on that domain and all sub-domains for one year (all http requests will be rewritten as https requests without network interaction)
  • For browser vendors, the 'preload' keyword allows them to preload the website in their source code. With that, you avoid the first insecure request: the browser already knows that the website commits to https. Note that HSTS+preload can't be rolled back, it's a definitive commitment to security (but that's the strength of it: an attacker can't remove it either)

The HSTS header in the comment is the most secure one but can't be rolled back:

  • Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

The uncommented HSTS header is less secure because the first connection can still be insecure, and it does not protect subdomains:

  • Strict-Transport-Security "max-age=31536000"

HSTS is the only reliable protection against SSLStrip.

SEO implications: If the website already redirects all http webpages to https, then that header has no negative (and no positive) effect.
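As an added verification example (not part of this answer or of Apache's documentation), the following Python code checks a pair of constructed plain-HTTP and HTTPS responses against the points above: a permanent redirect to https://, an HSTS header that is only honoured on the HTTPS side, and the max-age / includeSubDomains / preload combination the preload list requires. The response dict shape and the one-year preload threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# One year in seconds: the minimum max-age hstspreload.org accepts (assumption for this example).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797: ';'-separated, case-insensitive directives)."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def audit(http: Dict, https: Dict) -> List[str]:
    """Return findings for constructed responses of the form {'status': int, 'headers': {name: value}}."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in http["headers"].items()}
    if http["status"] not in (301, 308) or not h.get("location", "").lower().startswith("https://"):
        findings.append("http: no permanent redirect to https:// (needed for old browsers and first visits)")
    if "strict-transport-security" in h:
        findings.append("http: HSTS header sent over plain HTTP is ignored by browsers (RFC 6797 section 8.1)")
    s = {k.lower(): v for k, v in https["headers"].items()}
    sts = s.get("strict-transport-security")
    if sts is None:
        return findings + ["https: missing Strict-Transport-Security; SSLStrip-style downgrade still possible"]
    p = parse_hsts(sts)
    if p.max_age is None:
        findings.append("https: HSTS max-age missing or malformed; header is ignored")
    elif p.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("https: max-age below one year; not eligible for preload")
    if not p.include_subdomains:
        findings.append("https: no includeSubDomains; subdomains stay downgradeable and preload is not possible")
    if p.preload and p.include_subdomains and (p.max_age or 0) >= PRELOAD_MIN_MAX_AGE:
        findings.append("https: preload-ready; note this commitment cannot be rolled back once listed")
    return findings
```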

Add this just below or above DocumentRoot in /etc/apache2/sites-available/yoursite.conf:

Redirect permanent / https://your-site.com/
